This protocol has another nice feature: The non-signer party in this protocol does not have to be the party who generates the message to be signed. This is a relevant difference to the blind-signature variant.
This means you have the following setup:
online | offline offline
[Application] <---> [Signing Wallet Device] <---> [Verifying Device]
dangerous connection internal connection
Signer and Verifier can prepare a number of choices for u and t like in gmaxwell's Hashtree proposal. After that, the App can request Transactions from the Wallet, and the independent verifier device can verify that they are leak-free. Note that u may contain secret messages, but only the verifying device (which can be offline) knows the u values.